Re: [w3c/ServiceWorker] Service workers allow for more responses to be executed as script (#1509)

So, how does the change in behavior look from the CORB perspective?

- Before the proposed changes: Cross-origin, no-cors non-GET responses are already blocked by CORB **if the response MIME type is CORB-eligible** (html/xml/json/pdf/zip/etc.)
- After the proposed changes: Cross-origin, no-cors non-GET responses are **always** blocked by CORB regardless of the response MIME type (therefore the "after" behavior extends CORB protection to POST responses carrying things like image/png or application/javascript)

Did I get that right?

I think this should work.  CORB only needs to allow legacy no-cors requests (images, scripts, stylesheets, etc.) and AFAIK these should always be GET requests.  So, extending CORB heuristics to cover all non-GET requests makes sense from this perspective (no risk of breaking existing behavior + more requests protected by CORB = seems like a desirable change to me).


-- 
https://github.com/w3c/ServiceWorker/issues/1509#issuecomment-614145512

Received on Wednesday, 15 April 2020 16:34:42 UTC